But he said the FBI does share threat information regularly. “We provide notifications to private sector entities all the time, we certainly coordinate immediately and directly with the affected entity and assist them and DHS (Department of Homeland Security) in doing whatever is necessary to repel that attack.
“The problem is, you don't see everything,” he said. “The more information we are able to share with the private sector, the academic sector, the better our detection ability becomes.
“We've got to get to that point where folks are comfortable sharing information and ultimately providing access if we expect the FBI and DHS and our Secret Service and our other partners in government to be able to be more proactive in the way we address the threats,” he said.
However, there remains within private industry a strong belief that government is much more interested in collecting data from the private sector than in sharing what it has. Justin Harvey, CSO of Fidelis Cybersecurity, was one of a number of security experts who said in January, after CISA’s passage, that he believed it was “meant to be a surveillance bill from the start” and lacked adequate privacy protections.
Government speakers at the summit insisted they are committed to sharing.
On a panel titled “National Security: Hacking Democracy,” Arizona Secretary of State Michele Reagan spoke of her state’s election systems being hacked, allegedly by Russia, and said it will take a serious effort of public education by government to maintain the public’s confidence in the results of the coming election.
“It’s made people think twice about registering to vote,” she said. “We know things get shaken when people are afraid.”
The bottom line, most agreed, is that increasing private sector information sharing will be a heavy lift.
“A lack of trust with the FBI specifically is not the only driver,” McCabe said. Another is that private entities don’t want it known that they were hacked. “There's obvious economic repercussions. There's shareholder value issues. So it's a complicated mixture,” he said.
Isaacson asked if it would help to have a law that banned “derivative shareholder lawsuits if somebody discloses in real time that they've been hacked?”
McCabe said he has nothing to do with filing or passing legislation. But he agreed that it would help. “More information is better for us. That's our chance of getting out in front of this threat.”